Create a diagram that depicts the following scenario, in which Springfield Power Plant's network has been breached by an attacker. or other software may be used to create the diagram:
- An attacker sends a spear-phishing message with the subject "Free Donuts in Cafeteria at Noon: Details in Attachment" containing a malicious Microsoft Word attachment to Homer Simpson, who opens the attachment and enables macros when prompted to view the sweet, sweet donut details. (mmmmmmmm….donuts)
1) Once opened, a macro is executed which runs a PowerShell command that establishes a command and control (C2) channel to a domain which ultimately resolves to a machine controlled by the attacker (Frank Grimes) in Amazon's EC2 cloud.
2) Frank Grimes escalates his privileges on Homer Simpson's computer (HS-CRBNBLB, 172.16.22.4) to gain administrative access and extracts password hashes using Mimikatz.
3) Frank Grimes then uses the shared local administrator password obtained from Homer Simpson's computer to move laterally on the network to Wayland Smithers' computer (WS-ULLMAN, 192.168.58.41).
4) Wayland Smithers' computer contains an unprotected SSH private key file for an SSH jump box that grants access to the SCADA systems network within the power plant.
5) Using those passwords, Frank Grimes authenticates with PuTTY to the jump box (SCRATCHY, 10.253.65.85) and then uses Nmap to scan the SCADA network (126.96.36.199/23) for open port TCP/666, which controls the reactor.
6) Frank identifies open port TCP/666 and connects to the reactor (BLINKY-90, 188.8.131.52) over Telnet, with no password required.
7) Frank then places malware on the system designed to alter the core temperature of the reactor within the next 30 days.
Defensive Controls Mapping
- Note, for each step, which defensive toolset or process would help mitigate and detect what Frank Grimes was able to do as an attacker.
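As an added example (not part of the assignment text), the Python below sketches the kind of detection logic a defender would pair with steps 1, 3, 5 and 6 of the scenario and runs it over constructed sample telemetry. The scenario's host names and addresses are reused; the log record layout, the timestamps, the Windows logon-type values, the scan threshold and the engineering-workstation allowlist are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (hypothetical). Each record is
# (ISO timestamp, reporting host, event kind, details dict).
EVENTS = [
    # Step 1: Word launches PowerShell on Homer's workstation (macro execution).
    ("2024-05-01T12:01:05", "HS-CRBNBLB", "process",
     {"parent": "WINWORD.EXE", "image": "powershell.exe"}),
    ("2024-05-01T12:05:00", "HS-CRBNBLB", "process",
     {"parent": "explorer.exe", "image": "notepad.exe"}),
    # Step 3: the shared local Administrator account logs on over the network
    # (Windows logon type 3) to Smithers' machine, sourced from Homer's.
    ("2024-05-01T12:40:00", "WS-ULLMAN", "logon",
     {"account": "Administrator", "type": 3, "src_ip": "172.16.22.4"}),
    ("2024-05-01T12:41:10", "WS-ULLMAN", "logon",
     {"account": "wsmithers", "type": 2, "src_ip": "-"}),
    # Step 5: the jump box probes a range of ports on one SCADA host within a minute.
    *[("2024-05-01T13:10:%02d" % i, "SCRATCHY", "flow",
       {"src_ip": "10.253.65.85", "dst_ip": "188.8.131.52", "dst_port": 600 + i})
      for i in range(30)],
    # Step 6: a connection to the reactor control port from the jump box.
    ("2024-05-01T13:12:30", "SCRATCHY", "flow",
     {"src_ip": "10.253.65.85", "dst_ip": "188.8.131.52", "dst_port": 666}),
]

OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
REACTOR_IP = "188.8.131.52"          # BLINKY-90 from the scenario
REACTOR_PORT = 666
ENGINEERING_ALLOWLIST = {"172.16.22.99"}  # assumed; the jump box is deliberately not on it


def office_spawned_script_host(events):
    """Step 1: an Office application as parent of a scripting host is the
    classic macro-execution signal; returns (timestamp, host) hits."""
    return [(ts, host) for ts, host, kind, d in events
            if kind == "process"
            and d["parent"].upper() in OFFICE_APPS
            and d["image"].lower() in SCRIPT_HOSTS]


def local_admin_network_logons(events, account="Administrator"):
    """Step 3: the built-in local admin used for a network (type 3) logon.
    With LAPS-style unique passwords this should essentially never fire."""
    return [(ts, host, d["src_ip"]) for ts, host, kind, d in events
            if kind == "logon" and d["type"] == 3 and d["account"] == account]


def port_scan_sources(events, min_ports=20, window=timedelta(seconds=60)):
    """Step 5: one source touching >= min_ports distinct ports on one
    destination inside a sliding window; returns sorted (src, dst) pairs."""
    by_pair = defaultdict(list)
    for ts, _, kind, d in events:
        if kind == "flow":
            by_pair[(d["src_ip"], d["dst_ip"])].append(
                (datetime.fromisoformat(ts), d["dst_port"]))
    hits = set()
    for pair, seen in by_pair.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            ports = {p for t, p in seen[i:] if t - start <= window}
            if len(ports) >= min_ports:
                hits.add(pair)
                break
    return sorted(hits)


def reactor_port_from_unexpected_source(events, allowlist=ENGINEERING_ALLOWLIST):
    """Step 6: any connection to the reactor control port from an address
    outside the engineering allowlist; returns (timestamp, src_ip) hits."""
    return [(ts, d["src_ip"]) for ts, _, kind, d in events
            if kind == "flow" and d["dst_ip"] == REACTOR_IP
            and d["dst_port"] == REACTOR_PORT and d["src_ip"] not in allowlist]


if __name__ == "__main__":
    print("step 1:", office_spawned_script_host(EVENTS))
    print("step 3:", local_admin_network_logons(EVENTS))
    print("step 5:", port_scan_sources(EVENTS))
    print("step 6:", reactor_port_from_unexpected_source(EVENTS))
```

Each function corresponds to one row of the defensive-controls mapping: EDR process-lineage rules for step 1, unique local-admin passwords plus logon auditing for step 3, network flow monitoring on the jump box for step 5, and a segmentation allowlist in front of the reactor's control port for step 6. Steps 2, 4 and 7 (credential dumping, the unprotected SSH key, and the planted malware) are better addressed by preventive controls such as Credential Guard, key management and application allowlisting than by log rules, so they are left out of this sketch.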